AD FastReporter 2023 Computer Fields

The account is disabled.

This attribute contains information about every account type object.

Description displayed on admin screens.

Name to be displayed on admin screens.

Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). Anyone with adminCount=1 is or was a privileged user of some sort.

Contains the GUID associated with a Full Volume Encryption (FVE) recovery password.

Name.

Contains the password required to recover a Full Volume Encryption (FVE) volume.

The user cannot change the password.

Name of the object in canonical format, e.g. me.domain.com.

The name that represents an object.

The date when this object was created.

Name of the computer as registered in DNS.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

Contains the description to display for an object.

The display name for an object.

The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.

This attribute specifies the distinguished names of the groups to which this object belongs.

(Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logon.

This attribute specifies the distinguished names of the groups to which this object belongs.

This attribute specifies the distinguished names of the groups to which this object belongs.

This attribute specifies the distinguished names of the groups to which this object belongs.

This attribute specifies the distinguished names of the groups to which this object belongs.

Whether the computer is a member of any group except the primary group.

The home directory is required.

Computer IPv4 address.

Computer IPv6 address.

This is a permit to trust an account for a system domain that trusts other domains.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

Whether this computer is a domain controller. Checks the primaryGroupId attribute for values 516 and 521.

This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.

The attribute stores the time until the password expires.

The last time and date that an attempt to log on to this account was made with a password that is not valid. This attribute is not replicated.

The Distinguished Name (DN) of the last known parent of an orphaned object.

The domain controller that authenticated this computer the last time it logged on to the network.

The last time the user logged on.

This is the time that the user last logged into the domain. The initial update after the domain functional level is raised is calculated as 14 days minus a random percentage of 5 days.

Flags that determine where a computer gets its policy.

The account is currently locked out. Calculated from the lockoutTime attribute value and the "Account lockout duration" setting of the Account Lockout Policy.

The date and time (UTC) that this account was locked out.

The number of times the account has successfully logged on.

The username (the logon name used to support clients and servers running earlier versions of the operating system).

The logon script is executed.

Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.

Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.

Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.

The date when this object was last changed. This value is not replicated and exists in the global catalog.

Object name.

The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.

Computer notes.

The number of times the user tried to log on to the account using an incorrect password. This number is taken from the domain controller containing the latest bad password time.

Count of direct group memberships.

The operating system service pack ID string (for example, SP3).

The operating system version string, for example, 4.0.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The Operating System name, for example, Windows 10.

Gets this entry's parent in the Active Directory Domain Services hierarchy. Returns the parent name if it is a container.

Gets this entry's parent name in the Active Directory Domain Services hierarchy.

Gets this entry's parent in the Active Directory Domain Services hierarchy. Returns the parent name if it is an organizational unit.

Returns the full OU name in reverse order.

The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.

The date and time that the password for this account was last changed.

The password for this account will never expire.

No password is required.

Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group.

Whether the object is protected from accidental deletion. It is calculated from the access control entry (ACE): deny Delete + DeleteTree. This can take some time to calculate, so it is advisable to use other filters to narrow down the record count.

List of references to RID-Set objects that manage Relative Identifier (RID) allocation.

This attribute specifies the distinguished names of the groups to which this object belongs.

A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.

Found in the domain-naming context. The distinguished name of a computer under the sites folder.

This is a computer account for a system backup domain controller that is a member of this domain.

The encryption algorithms supported by user, computer, or trust accounts.

The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.

(Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.

This attribute specifies the distinguished names of the groups to which this object belongs.

Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.

This is a computer account for a computer that is a member of this domain.

Copyright © Albus Bit SIA